Security proof of a three-state quantum key distribution protocol without rotational 

symmetry 
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Standard security proofs of quantum key distribution (QKD) protocols often rely on symmetry 
arguments. In this paper, we prove the security of a three-state protocol that does not possess 
rotational symmetry. The three-state QKD protocol we consider involves three qubit states, where 
the first two states, |0 Z ) and |l z ), can contribute to key generation and the third state, ]+} = 
(|0~) + |l-))/v / 2, is for channel estimation. This protocol has been proposed and implemented 
experimentally in some frequency-based QKD systems where the three states can be prepared easily. 
Thus, by founding on the security of this three-state protocol, we prove that these QKD schemes are, 
in fact, unconditionally secure against any attacks allowed by quantum mechanics. The main task 
in our proof is to upper bound the phase error rate of the qubits given the bit error rates observed. 
Unconditional security can then be proved not only for the ideal case of a single-photon source and 
perfect detectors, but also for the realistic case of a phase-randomized weak coherent light source 
and imperfect threshold detectors. Our result on the phase error rate upper bound is independent 
of the loss in the channel. Also, we compare the three-state protocol with the BB84 protocol. For 
the single-photon source case, our result proves that the BB84 protocol strictly tolerates a higher 
quantum bit error rate than the three-state protocol; while for the coherent-source case, the BB84 
protocol achieves a higher key generation rate and secure distance than the three-state protocol 
when a decoy-state method is used. 

PACS numbers: 03.67.Dd, 03.67.-a 



I. INTRODUCTION 

Quantum key distribution (QKD) allows two dis- 
tant parties to expand a previously shared secret key 
by sending quantum states through a quantum chan- 
nel. The most well-known QKD protocol is the BB84 
protocol 0, which has been proved unconditionally se- 
cure against any attacks allowed by quantum mechanics 
HHHliiHHHIHHS- standard security proofs of 
many QKD protocols, including the BB84 protocol, the 
SARG04 protocol El EE El El , the symmetric three- 
state protocol flrl 1 1 Til . and the generalized rotationally 
symmetric protocol |!8lll9j |. often rely on rotational sym- 
metries. In this paper, we prove the security of a QKD 
protocol that does not possess rotational symmetry. The 
protocol involves Alice sending one of the three qubit 
states {|0 Z ),|1 Z ),(|0 Z ) + \l x ))/y/2} to Bob, where the 
first two states are for key generation, and the third state 
is for channel estimation. Note that this protocol is sim- 
ilar to the BB84 protocol in that they share the same 
three qubit states. In fact, in practical implementations 
of the BB84 protocol, when one of the four laser sources is 
out of operation (due to, for example, malfunctioning), 
the QKD scheme implemented becomes the three-state 
protocol that we consider in this paper. The security 
proof of the three-state protocol analyzed in this paper 



then assures that even the handicapped BB84 protocol 
can still be secure in these situations [2£j . This three- 
state protocol has also been proposed and implemented 
in some frequency-based QKD systems 0, 1^2, 113 1 ■ In 
these frequency-based systems, the state |0 Z ) (|l z )) is 
represented by a pulse in frequency ujq (cJi), while the 
state (|0,z) + |l z ))/v2 is represented by a pulse in a su- 
perposition of the two frequencies. In these systems, it 
is relatively easy to generate the three states and thus 
the three-state protocol is well suited for these systems. 
In order to understand the security of these systems, a 
rigourous security analysis of the three-state protocol is 
in order, and it is the purpose of this paper to provide 
such an analysis. We note that a similar protocol has 
been proposed and implemented in some time-bin-bascd 
QKD systems [H El IH HHH . In one time-bin-based 
scheme j2^|, each signal is associated with two time po- 
sitions and there are three different signals. A logic 
(1) is represented by a light pulse in the first (second) 
position and no pulse in the other position; while a de- 
coy signal is represented by a superposition of a pulse in 
the first position and a pulse in the second position. The 
channel is estimated by checking the coherence between 
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Note that some of these systems actually prepare the state |0z) + 
|l z ) instead, which has a different normalization (without the 
factor of \/2) than the one we consider. These QKD systems 
are not qubit-bascd and thus our security proof is not directly 
applicable to them. 
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two consecutive non-empty pulses appearing within or 
across the bit separations. This gives rise to the differ- 
ence between this protocol and the one we consider in 
this paper. If only the coherence within the bit separa- 
tions was checked, then it is equivalent to our protocol. 
Thus, the analysis in the paper does not directly apply 
to this particular time-bin-based scheme. On the other 
hand, the result of this paper suggests that even if only 
the coherence within the bit separations is checked, un- 
conditional security can still be established, thus making 
it unnecessary to check for the across-the-bit coherence 
for the sake of achieving unconditional security. This 
means that a secure time-bin-based scheme can be built 
by implementing the three-state protocol analyzed in this 
paper, where the channel-estimation state is realized by 
checking the within-the-bit coherence. 

In this paper, we prove the unconditional security 
of the three-state protocol not only for the case of a 
single-photon source, but also for the case of a phase- 
randomized weak coherent-state source. Essentially, the 
reason that the protocol is secure is because the informa- 
tion gain by an eavesdropper implies disturbance in the 
signals received by a legitimate receiver. Here, our main 
task is to make this argument rigourous and quantita- 
tive. To do this, we upper bound the phase error rate of 
the key-generating qubits using the bit error rates of the 
key-generating qubits and the channel- estimation qubits 
(c.f. Eq. with the assumption that a single-photon 

source is used. Once the phase error rate is estimated, 
we may establish the security of the protocol by apply- 
ing Shor-Preskill's argument when a single-photon 
source is used, and by applying the result of Gottesman- 
Lo-Lutkenhaus-Preskill fGLLP) Jl and the decoy-state 
method [13, E3, E3, HE E3, HE H3, Hl| when a 
coherent light source is used. We remark that our result 
on the phase error rate upper bound is independent of 
the loss in the channel, similar to the BB84 protocol. 

The paper is organized as follows: We first describe 
the three-state protocol in Section [B] In Section ITTT1 we 
upper bound the phase error rate of the key-generating 
qubits. This upper bound can then be used to compute 
the key generation rate for both the ideal case and the 
realistic case in Section llVl We finally conclude in Sec- 
tion El 



II. THE PROTOCOL 

In this section, we outline the three-state protocol in 
prepare-and-measure version which is how it can be im- 
plemented in reality without a quantum computer, and 
in entanglement distillation protocol (EDP)-based ver- 
sion which is equivalent to the prepare-and-measure form 
and is used mainly for proving the security. In the follow- 
ing, we assume that Alice and Bob are equipped with a 
perfect single-photon source and perfect detectors. Also, 
only the qubits detected by Bob are considered, and thus 
the security proof of this protocol is loss independent. 



We use the following notations: the eigenstates in the 
Z basis are |0 Z ) and |l z ), whereas the eigenstates in the 
X basis are |+) 4 (|0 Z ) + \l z ))/y/2 and |-) 4 (|0 Z ) - 
|1,»/V2. 

A. Prepare-and-measure version 

We outline the protocol as follows: 

1 Alice chooses a random 87V(1 + <5)-bit string a, where 

5 > is a small parameter. For each bit i, if ctj = 0, 
she transmits a state randomly chosen in the |0 Z ), 
|l z ) basis; if a, = 1, she transmits |+). 

2 Bob receives the 8N(1 + 5) qubits and using a random 

8N(1 + (5)-bit string b measures each qubit in the 
Z basis (if bi = 0) or the X basis (if bi = 1). 

3 Alice announces a and Bob announces b. 

4 They discard any results where a% ^ bi. With high 

probability, there are at least 4N bits left and 2N 
of them belong to each basis. Alice decides TV bits 
in the Z basis as the check bits and the remaining 
TV bits in the Z basis as the data bits. 

5 Alice and Bob announce the values of the N check bits 

in the Z basis and the 27V check bits in the X basis. 
They compute the quantum bit error rates for the 
two sets separately. We denote the two quantum bit 
error rate (QBER) values by ej, and a, respectively. 

6 They choose an error correcting code capable of cor- 

recting errors at a bit error rate of ef,. Alice com- 
putes the bit error syndrome of her data bits using 
this code and transmits the syndrome to Bob. Bob 
corrects the errors in his data bits. 

7 They estimate the phase error rate e p of the data bits 

from e& and a and choose a binary block code capa- 
ble of correcting errors at a rate of e p . They apply 
the generator matrix of the code to their data bits, 
producing the final secret key. 

We remark that the data bits consist of only the key- 
generating qubits {|0 Z ) , |l z )}, while the check bits consist 
of all qubits, {|0 Z ) , |l z ) , |+)}, of which the first two are 
also used for the key generation and the third is only for 
channel estimation. The task is to estimate the phase 
error rate, e p , of the data bits from the bit error rates, e\, 
and a, of the check bits. Also note that this three-state 
protocol is very similar to the BB84 protocol. The only 
difference is that the |— ) state in BB84 is not used in this 
protocol. 

B. EDP-based version 

Now we describe the equivalent EDP-based QKD pro- 
tocol. During the quantum state transmission phase, Al- 
ice sends Bob AN quantum signals through a channel 
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controlled by an eavesdropper Eve. Specifically, for the 
I th signal, Alice prepares the state 



I* 



1 



AB - ^ |0>K |0*> J0,) B + ^= |l z ) Jl z > fl 



1 

V2 



V2 



1 



(1) 



and sends system B to Bob through Eve while keeping 
system A to herself. In the most general attack by Eve, 
she interacts the AN signals sent by Alice and some an- 
cilla with an unitary operation. An output qubit from the 
unitary operation is then sent to Bob for the I th transmis- 
sion. We assume that Bob always uses the same basis as 
Alice for each qubit pair, since the qubit pairs where Al- 
ice and Bob measure with different bases are discarded. 
Specifically, for the 2N check qubit pairs in the ll)^ part, 
Bob measures in the {|+) , |— )} basis, and since Alice al- 
ways sends the |+) state to Bob, he declares an error (no 
error) if the measurement outcome is |— ) (|+)). This al- 
lows him to compute the QBER for this part, which we 
denote by a. For the 27V qubit pairs in the 10)^ part, 
Alice and Bob randomly choose N of them as check qubit 
pairs and compare their values publicly. They both per- 
form Z basis measurements on them and announce their 
measurement outcomes in order to compute the QBER 
for these N qubit pairs, which we denote by ef,. An error 
correcting code capable of correcting errors up to a bit 
error rate of ef, can be used by Alice and Bob to remove 
errors in the remaining N data qubit pairs, which are 
then privacy amplified to produce the final key. Since 
the amount of privacy amplification needed to eliminate 
Eve's information on the final key is indicated by the 
phase error rate of the data qubit pairs (denoted by e p ), 
Alice and Bob need to upper bound this quantity from 
what they observed, eb and a. In what follows, we solve 
this problem of upper bounding e p given fixed values of 
eb and a. Once e p is obtained, the key generation rate 
can easily be computed using e p and e^. 



III. UPPER BOUNDING THE PHASE ERROR 
RATE 

In this section, we solve the main problem of upper 
bounding the phase error rate in the data qubit pairs, 
using the bit error rates observed in the check qubit pairs. 
The values ef, and a are actually observed in the check 
qubit pairs, not in the data qubit pairs. On the other 
hand, we are interested in the bit error rates of the data 
qubit pairs, not the check qubit pairs. In order to relate 
eb and a to the data qubit pairs, we apply a random 
sampling argument to infer that what is observed in the 
check qubit pairs is very close to what could be observed 
in the data qubit pairs. Specifically, the random sampling 
argument can be stated as follows: 

Lem ma 1 (Random sampling test (see, for exam- 
ple, |39|)). Given 2N bits, they are randomly divided 



into two sets, each containing N bits. Then, 

Pr{ct < 8N and c 2 > (5 + e)N} < cxp[-0(e 2 N)}, (2) 

where c\ and ci are the number of ones in the two sets, 
5 < 1 is some fraction representing the number of ones, 
and e > is a small parameter. 

Therefore, with high probability, the bit error rates 
of eb and a could be observed in the data qubit pairs. 
Note that the use of classical probability argument is 
valid here, since the events contributing to ef,, e p , and 
a are outcomes of a projection measurement projecting 
onto the states {\0) K \(/>ij) ,\l) K \4>vj>): i,j,i',f = 0,1}. 
Here, \<f>ij) are the Bell states: 
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(\oi) z + (-iy\ii) z ). 



(3) 



In what follows, because of this random sampling argu- 
ment, we assume that the QBERs eb and a are also ob- 
served in the N data qubit pairs. Now the model be- 
comes Alice sending N data qubits to Bob through Eve 
who may perform on them any joint operation that are 
consistent with and a. Since we only consider the 
data qubit pairs, we index them from I = 1 to I = N 
for simplicity. Eve's operation on the I th data qubit pair 
can conveniently be represented in the Kraus (or opera- 
tor sum) form, £^(p) = X)/ E^'^pE^ 1 '^ , where the set 
of operator {E^'f' : V/} defines the mapping for the ^ th 
data qubit pair, and all the other data qubit pairs have 
been traced over. Recall that the our main problem is 
to upper bound e p over all Eve's operations that 
are consistent with the observed values of eb and a. Es- 
sentially, there are two constraints in our optimization 
problem - one associated with eb and the other with a. 
We first consider the constraint with a by computing the 
correct /incorrect probabilities associated with each data 
qubit pair if a measurement in the \1) K basis were to be 
performed. In this basis, there are only two outcomes - 
either that Alice sends |+) and Bob receives |+) (no bit 
error) or that Alice sends |+) and Bob receives |— ) (a bit 
error) . The corresponding probabilities are 



pC0_ A p r { error a t position 1} 



p(0 a p r | no error a t position 1} 

= A-A B (l + +|£ (i) (|*}(*|)|l 
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(4) 



(5) 



(The notation used is that H — (++) in the subscript 
means that Alice sends |+) and Bob measures | — ) (|+)).) 
To construct the first constraint, we need to relate these 
two probabilities for the data bits to a. Note that they 
are not related in a straightforward manner, since a is the 
observed bit error rate in the data qubit pairs (inferred 
from that of the check qubit pairs using the random sam- 
pling argument) while we only have probabilities of each 
data qubit pair on hand. In this situation, we utilize 
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Azuma's inequality I4 | to establish the relation, as used 
similarly in [lj, [Tj| [Jj|. To proceed, we obtain Eve's 
operation on the Z th qubit pair, £"'{■), by tracing over 
the previously measured qubit pairs conditional on their 
measurement outcomes and unconditionally tracing over 
the qubit pairs to be measured later. This means that 
the two probabilities in Eqs. I@J) and Q are now con- 
ditional probabilities, conditional on the measurement 
outcomes of the previously measured qubits. Consid- 
ering each event separately, Azuma's inequality asserts 
that the sum of the error (no error) probabilities over all 
qubits is close to the observed counts of the error (no 
error) events. Mathematically, it means that 



Pr 



c+± 



V w n {l) 



N 



> e 



< 2exp 



-Ne 2 /2 



(6) 



where c-| (c++) is the observed counts of the error (no 

error) events, p^}_ (?>++) is error (no error) probabil- 
ity for the I th qubit pairs given by Eq. (QJ (Eq. J5J)), 
and e > is a small quantity. Note that this proba- 
bility drops exponentially as N increases. Now, since 
a = C-| /(c-| + C++) by definition, it is easy to relate 

P+± 



to a as N goes to infinity as follows: 
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Note that no actual measurement in the {|+) , |— )} ba- 
sis is performed on the data qubit pairs (only measure- 
ments in the {|0 Z ) , |l z )} basis are performed on them) 
and thus we have no measurement outcomes of the ear- 
lier qubit pairs to explicitly form £ Nevertheless, 
Eq. J7J) holds for any measurement outcomes, and there 
is no need to know what these outcomes are. Note that 
as an alternative to Azuma's inequality, the quantum de 
Finetti theorems 0, 0> 0* 0] may be used to argue 
that the entanglement between a subset of the randomly 
permuted qubit pairs vanishes, establishing Eq. J2J also. 
In this case, a sublinear number of qubit pairs have to be 
discarded. 

By the same token, the second constraint of our opti- 
mization problem associated with eb can be constructed 
in a similar way. In this case, there are four possibilities 
associated with the data qubit pairs: no error, a bit er- 
ror, a phase error, and both types of errors. Thus, they 
give rise to the following four probabilities: 

K (0\AB(cl>rs\£ {l} mm\<t>r S )AB\0)K, (8) 

r,s = 0, 1, 
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where \<f> rs ) are the Bell states defined in Eq. Q. 
ing Azuma's inequality gives 
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Therefore, our optimization problem becomes maximiz- 
ing e p given in Eq. 1)10(1 over Eve's operations £"'(•) sub- 
ject to Eqs. and ©. To simplify the problem, by 
using the parameterization E^ l A) 



AUh 



Y + a,g^Z and explicitly evaluating p^ J ± and q\. 
we re-write the maximization problem as follows: 
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where the maximization is over all a^ j; , /3 = I,X,Y,Z. 
Note that the summation over all the qubit pairs / in this 
problem signifies that Eve's attack is a joint attack. How- 
ever, the following theorem says that a collective attack 
by Eve is as powerful as a joint attack in the sense of caus- 
ing the same bit and phase error rates {e&,a, e p }. Fur- 
thermore, Eve's collective attack only needs to consist of 
one Kraus operator. This theorem essentially eliminates 
the need to consider joint attacks in upper bounding the 
phase error rate. 

Theorem 1 (Reduction from a joint attack to a 
collective attack) . For the three-state protocol, any val- 
ues of the bit and phase error rates {eb, a, e p } achievable 
by any joint attack consisting of any number of Kraus 
operators are also achievable by a collective attack con- 
sisting of only one Kraus operator. 
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Proof. The 
{ 



AU) AU) 



idea 

(U) 



is 

(U) 
z 



that 
} and {, 



any 



two 



sets 



,(*',/') „(*',/') Ai'J') 



} can be combined into one set without changing 



.(*',/') 
a z 

the values of eb, a, and e p (see Appendix 0. Repeated 
applications of this idea can reduce any number of 
sets into one set. This means that whatever values of 
{eb, a, e p } achievable by any number of sets are also 
achievable by just one set. □ 

The consequence of this theorem is that it is sufficient 
to consider (I, f) taking on only one value (i.e. drop- 
ping the summations over I and /) in the maximization 
problem in Eq. I|ll|) without loss of generality. This is 
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an important consequence since the original maximiza- 
tion problem in Eq. (|llf) involves infinitely many opti- 
(i f) 

mization variables (a^ , VZ, /), and the new maximiza- 
tion problem involves only four optimization variables 
(ai,ax,aY ,0-z)- This is a significant simplification in 
the problem. Note that the reduction from joint attacks 
to collective attacks was first discussed in Ref. ■ The 
idea was also implicitly used in Ref. |lOj . Similar re- 
duction results with explicit proofs were also obtained 
in an information-theoretic security proof [4^ | and can 
also be deduced from the quantum de Finetti theorems 
[4lL H3 . IZsl l44j . These two techniques are different from 
ours. In particular, the difference between the techniques 
involving the quantum de Finetti theorems and ours is 
that the former requires discarding a sublinear number of 
qubits and ours does not require any discarding. This dif- 
ference may have practical implications when the number 
of qubits is finite. Even though the number of discarded 
qubits in the de Finetti approximation is insignificant in 
the asymptotic case, it may be significant in the finite sit- 
uation. The difference between the information-theoretic 
security proof and ours is that in the former, a collective 
attack is equal to a joint attack in the sense that the 
smooth Rcnyi entropies of the states in the two attacks 
are roughly equal, and in our proof, the two attacks are 
equal in the sense that they both cause exactly the same 
bit and phase error rates. Also, we further show that it 
is sufficient to consider a collective attack consisting of 
only one Kraus operator as opposed to infinitely many 
Kraus operators. 



with each other. This results in the following problem: 



max 



s.t. 



\ax 

e b :■■ 



az\ +\ay\ 

2 + '~ 12 
1 



\a Y \ 

- eb 



a 



1 — ot 

a 



= 1 



2 |aj| lojsrl 



\a Y \' 



2 \a Y \ \a z \ 



(18) 
(19) 
(20) 

■(21) 



Since the feasible region in (|o/|, |ajf|> \&y\, \&z\) is de- 
scribed by three constraints, we can eliminate two of 
them, namely a/ and ax, to get one single constraint 
describing the feasible region in terms of (|ay|, \ az\) by 
substituting Eqs. JTJJ and (J5UJ) into Eq. 



(e b - \a z \ 2 ) + (1 - \a Y \ 2 ) + 2y/\-\a Y ?^£ b -\az[' 
a{\a Y \ 2 + \a z \ 2 - 2\a Y \\a z \). 



(22) 



Squaring both sides gives a quartic equation, which ad- 
mits four solutions for \az\ in terms of \a Y \. However, 
there are only two valid solutions in the region e b < 1/2 
and a < 1/2: 



1 



a 



M±v/a(l-|ay| 2 )± 



(23) 



-1 



- e 6 (l + &)- \a Y \ 2 {a - 1) ± 2\a Y \y/a(l- \a Y \ 2 ) 



e b , a < 1/2, 



A. Exact upper bound 



In order to simplify the maximization problem in 
Eq. Qllfl. we first write it as 



max 
s.t. 



(\a z \ 2 + |ay| 2 ) e b 



\a x \ -+ 
1 - e b 

e b 
1 - a 



\a Y \' = 1 

= M 2 ' 



\a z \ 
2 



\ai + ax\ 
\ia Y — azY 



(14) 
(15) 
(16) 

(17) 



where the signs are ( h) and (+ H — ). Since \az\ is 

part of the objective function of the problem in Eq. {TS)l. 
we want to use of the solution of \az\ that is the largest. 
Therefore, we use the solution of \az\ with signs (+ H — ) 
and the problem becomes 



max I \a z \ 2 + \a Y \ 2 

lay |<1 



('b 



(24) 



where \az\ substituted from Eq. with signs (+ + 
— ). This problem can be solved numerically for some 
fixed e b and a to obtain an upper bound on e p (which 
is the objective value of the problem). Note that Eve 
can always construct an attack with e p = 1/2 that is as 
powerful as any arbitrary attack with an arbitrary e p < 1 
[47j . She can construct this new attack by launching half 
of the time the arbitrary attack and the other half of the 
time the arbitrary attack with a phase flip operation. In 
this way, the phase error rate of this new attack is 1/2. 



where the first constraint is introduced to fix the scaling 
of ap's, the second and third constraints are rearrange- 
ments of Eq. ijT^ and Eq. (fH5j) . To simplify the problem 
further, we note that in order to maximize the objective, 
the third constraint should be taken so that aj and ax 
are in phase with each other and ia Y and az are in phase 



B. Limiting cases 

We need to deal with the cases that e b = 0, a = 0, or 
both separately. For the case that e b = and a > 0, we 
see from Eq. (|12|l that ax = a Y — and thus e p = a. 
For the case that e b > and a — 0, we see from Eq. 113|) 
that az = ia Y and thus e p < 2e b . For the case that 
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eft = and a = 0, we have ax = ay = o-z = and thus 
e p = 0. Note that the last case is consistent with the idea 
that information gain implies disturbance. Since there is 
no disturbance in that case, no information is gained by 
Eve and thus e„ = 0. 



C. Closed- form approximate upper bound 

It may be difficult to solve the problem in Eq. 1|24|) 
analytically. Thus, in order to obtain an analytical upper 
bound on e p , instead of using the exact value for \az \ from 
Eq. i|23|) . we use an upper bound of \az\ which is given 
by 



< 



1 



a\a Y \ + y/a(l-\a Y \ 2 ) + 



v /-l + eft(l + n) 



(25) 



We use this upper bound for \az\ hi the problem 

max.\ av \<i (jaz| 2 + lj eft. Since the objective value of 

this problem is larger than or equal to the objective value 
of the original problem in Eq. (|24|l . the solution of this 
problem is definitely an upper bound (but may not be 
tight) on e p . The solution to the approximate upper 
bound is 



< 




6ft 



(26) 



2\J a(l - a)e b (l - e b - e b a), eft, a < 1/2. 



Note that the three special cases in Section lill Bl can be 
obtained by taking the corresponding limit in Eq. Q26J1. 
In order to illustrate how good the approximate upper 
bound in Eq. Q26jl is compared to the optimal one ob- 
tained by solving the problem in Eq. (|24|) numerically, 
we plot in Fig. ^ the two bounds on e p over different 
values of e b assuming e b = a. It can be seen that the 
approximate bound is very close to the optimal one, es- 
pecially for small e b - Note that one may obtain another 
simple bound on e p from Eq. (|26|l as 

e p < a + 2e b + 2^^. (27) 

This bound is close to the bound in Eq. Q26|l when both 
e b and a are small. 
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FIG. 1: Comparison of the approximate upper bounds on e p 
in Eq. Q26ft and Eq. I|28|l with the optimal one obtained by 
solving the problem in Eq. (12 It . assuming ej, = a. The solid, 
dashed, and dotted curves (from bottom to top) correspond to 
the optimal bound (Eq. 124H h the general approximate bound 
(Eq. 1261 h and the specific approximate bound (Eq. (1281 h 



tuting a = e b in Eq. I|27|) . we get 
e„ < 5e b . 



(28) 



This linear relation, which can readily be observed in 
Fig. ^ is in sharp contrast to the e p = e b relation for 
the BB84 protocol; specifically, there is a factor of 5 in- 
crease (approximately) in the relation for this three-state 
protocol. 



IV. KEY GENERATION RATE 

In the previous section, we derived two upper bounds 
on the phase error rate for the three-state protocol; an 
optimal one is given by the solution of the problem in 
Eq. H24f> . and an approximate one is given by Eq. I|26|l . 
Using the phase error rate upper bounds, the key gen- 
eration rate can be readily obtained both for the single- 
photon source case and for the coherent-source case. Ob- 
viously, when comparing the performance of the three- 
state protocol and the BB84 protocol, the three-state 
protocol can only perform as good as, but no better than, 
the BB84 protocol, since one state is absent in the three- 
state protocol. Indeed, as we show in the following, the 
BB84 protocol is superior to the three-state protocol in 
the tolerable QBER, the key generation rate, and the 
maximal secure distance. 



A. Single-photon source and perfect detectors 



D. Special case: eb — a 

For the special case e b — a, a linear relation between 
e;, and the approximate e p can be derived easily. Substi- 



Whcn a single-photon source and perfect detectors are 
used, the key generation rate on the sifted key using lo- 
cal operations and one-way classical communications (T 
LOCC) can be obtained by applying Shor-PreskilPs ar- 
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FIG. 2: QBER bounds of the three-state protocol and the ef- 
ficient BB84 protocol. For the three-state protocol, the region 
below the solid curve is secure with 1-LOCC and the region 
above the dashed curve is insecure with 2-LOCC. The solid 
curve is computed using the approximate phase error rate up- 
per bound in Eq. 126H . while the dashed curve is computed 
using a method based on intercept-and-resend attacks (4*3 . 
For the three-state protocol, the QBER lower bound for the 
Z-basis states (the ^-intercept) is 0.075 and the QBER lower 
bound for the |+) state (the y-intercept) is 1/2. The 2-LOCC 
lower bound for the efficient BB84 protocol (dotted curve) is 
reproduced from Ref. |49t with a higher precision. 

gument [||: 

R = l-H 2 (e b )-H 2 (e p ), (29) 

where e p is either the approximate upper bound in 
Eq. 12611 or the solution of the problem in Eq. (|24() . and 
H2(x) = — x\og 2 {x) — (1 — x) log 2 (l — x) is the binary en- 
tropy function. Fig. |3 shows the secure region using this 
key generation rate with the approximate upper bound 
in Eq. (|26|l . The curve is found by searching for (e b ,oi) 
such that the key rate in Eq. H29f) is zero. The high- 
est tolerable QBER of the data bits is e b = 0.075 when 
a = 0; whereas the highest tolerable QBER of the check 
bits is a = 1/2 when e b = 0. Also shown in the figure 
are the upper bound for the protocol with local opera- 
tions and two-way classical communications (2-LOCC) 
computed using a method based on intercept-and-resend 
attacks proposed by us [481. a nd the lower bound for 
the efficient BB84 protocol l5oj w ith 2-LOCC. The lat- 
ter is reproduced from Ref. [4!j (the "Gottesman-Lo" 
curve in Fig. 2 of Ref. |4{|) with a higher precision. Wc 
can compare the three-state protocol with the efficient 
BB84 protocol regarding the tolerable bit error rates. It 
can be seen that the lower bound curve for the efficient 
BB84 protocol is above the upper bound curve for the 
three-state protocol. Thus, the efficient BB84 protocol 
can tolerate higher bit error rates than the three-state 
protocol. 

We consider the special case e b = a, which corre- 
sponds to a 45-dcgree line in Fig. [21 In this case, we 
may obtain the tolerable e b of the three-state protocol 
from the figure or by substituting the approximate rela- 



tion given in Eq. (|28|l into the key generation rate for- 
mula given in Eq. (|29|l . Using the latter method, we ob- 
tain a lower bound of e b = 0.0425, which is substantially 
lower than the one-way lower bound of BB84 (e b = 0.110 
0). The two-way lower bound of BB84 corresponds 
to the point where e b = a on the efficient BB84 curve 
in Fig. [21 and is equal to 19.9%. This is higher than 
the two-way upper bound of the three-state protocol at 
e b = a = 14.6%. Thus, the BB84 protocol strictly toler- 
ates a higher QBER than the three-state protocol does. 

B. Coherent source and imperfect threshold 
detectors 

In the previous section, we derived the upper bounds 
on the phase error rate of the three-state protocol with 
the assumption of a single-photon source. Nevertheless, 
we can easily establish security when a phase-randomized 
weak coherent light source and imperfect threshold de- 
tectors are used by a pply ing the decoy-state method 
IMIMIMIllSHlMlMlillll. In essence, the 
bit error rates of the single-photon emissions, e b and a, 
can be upper bounded by the decoy-state method. The 
phase error rate of the single-photon emissions, e p , can 
then be upper bounded either by using the approximate 
bound in Eq. I|26|) or by solving the problem in Eq. I|24f) . 
We can further utilize the result of Ref. Q , which proves 
the security of BB84 with an imperfect source, to find 
the key generation rate of the three-state protocol on the 
sifted key to be 

R < -QpftEJH^Ej + Qi[l - H 2 {e p )\, (30) 

where the subscript [i denotes the mean photon num- 
ber for the signal states, is the gain 2 of the signal 
states, En is the QBER of the signal states, Q\ and e p 
are the gains and the phase error rates of the single- 
photon states, f(x) is the error correction efficiency as a 
function of error rate, and H 2 (x) is the binary entropy 
function. 

Fig-Elcompares the performance of the three-state pro- 
tocol and the BB84 protocol by using the decoy-state 
method of Ref. |3(j ■ The simulation parameters used are 
from the Gobby- Yuan-Shields (GYS) experiment [5lJ and 
we have used f{E^) = 1.22. Here, the phase error rate 
of the single-photon emissions, e p , is upper bounded by 
solving the problem in Eq. (|24fl . As shown in Fig. [21 the 
BB84 protocol is better than the three-state protocol in 
both the key generation rate and the maximal secure dis- 
tance. Also, the slopes of both curves can be observed 
to be approximately the same at short and medium dis- 
tances. The difference in the key generation rates for 



2 The gain of a particular state (e.g. the signal state or the single- 
photon state) is the probability that Alice transmits that state 
and Bob's result is conclusive. 
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FIG. 3: Comparison between the three-state protocol and the 
BB84 protocol using the decoy-state method of Ref. |3fT |. The 
two key-generation-rate curves are computed from Eq. 11301 . 
The simulation parameters used are from the Gobby- Yuan- 
Shields (GYS) experiment [HjJ and we have used f(E^) = 
1.22. The optimal mean photon numbers, n, for both curves 
are used at all distances. The maximal secure distance is 
88.5km for the three-state protocol and 142.2km for BB84. 

the BB84 protocol and the three-state protocol can be 
determined from Eq. (|30|) . Note that for the BB84 pro- 
tocol, e p = eh, while for the three-state protocol, e p ~ 5e& 
(since we have e p — a in this model of the QKD setup). 
Thus, when the mean photon numbers, /z, for both pro- 
tocols are the same, the difference in the key generation 
rates is simply Qi(i?2(5e(,) — H 2 (eb)). On the other hand, 
when the mean photon numbers are different as in Fig. [3] 
where the optimal (i is always used, the difference in the 
key generation rates has to be calculated directly using 

Eq. Eg. 

V. CONCLUDING REMARKS 

In this paper, we considered a three-state protocol and 
proved its security. Specifically, we showed how the phase 
error rate of the data bits is upper bounded using the bit 
error rates observed in the check bits. This protocol is 
very similar to the BB84 protocol, sharing the same three 
qubit states. Essentially, we showed that, by removing 
one state from the BB84 protocol and thus destroying 
the rotational symmetry, the protocol is still secure. This 
three-state protocol is interesting in itself since it can be 
easily implemented in some frequency-based QKD sys- 
tems [2ll I22I |23| . The result of this work is that these 
QKD schemes are in fact secure against the most general 
attacks allowed in quantum mechanics. 

We compared the three-state protocol with the BB84 
protocol both for the single-photon source case and the 
coherent source case. Specifically, for the single-photon 
source case, we showed that the BB84 protocol can 
strictly tolerate higher bit error rates than the three-state 
protocol. For the coherent-source case, the achievable 
key generation rate and maximal secure distance of the 



BB84 protocol are both larger than that of the three- 
state protocol, when the decoy-state method of Ref. [3(j 
is used. In essence, the three-state protocol is inferior 
to the BB84 protocol; however, the three-state protocol 
does have its own merit of being easily implementable in 
some systems. 

We may consider some variations of the three-state 
protocol. In the three-state protocol we analyzed, Alice 
sends states in the Z and X bases with equal probabili- 
ties. This gives rise to Bob using the same basis as Alice 
with a probability of 1/2, and thus half of the qubit pairs 
are discarded. Although not done in this paper, one may 
improve on this inefficiency in basis mismatch by apply- 
ing the idea of efficient BB84 [5(j. In the asymptotic 
limit, Alice and Bob use the same basis with probability 
approaching one. 

In the analysis we provided, we upper bound the phase 
error rate of the Z basis states by using the average bit 
error rate of the two Z basis states and the bit error rate 
of the |+) state. On the other hand, it is possible to 
perform a more refined analysis by considering the three 
bit error rates separately, one for each of the states |0 Z ), 
|l z ), and |+). Although not addressed in this paper, 
such an analysis can be done in a similar manner as in 
this paper. In addition, one may consider a three-state 
protocol where the check state is not the |+) state but 
some other state that is an unequal superposition of the 
|0 Z ) and |l z ) states, or a four-state protocol involving 
the same three states as our three-state protocol plus 
a state not on the X-Z plane of the Bloch sphere (e.g. 
(|0 Z ) +i |l z ))/v / 2). In this case, it would be interesting to 
apply the same approach to analyze the security of these 
protocols. 
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Notes added 

After the first posting of our paper on the arXiv e-print 
server, we have learnt from Norbert Liitkenhaus about 
the existence of an independent proof of the security of 
the three-state protocol based on a different approach by 
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the Geneva group. Recently, such an independent proof 
has appeared in Appendix A of Ref . |§2 • 



where condition ijAlfl has been used to eliminate the 
square terms. From this, we can readily get 



APPENDIX A: SUFFICIENCY OF USING ONE 

SET OF { ai ,ax,a Y ,a z } 

In this section, we show that it is sufficient to 
consider using only one set of {ai,ax,ay ,az} in 
the problem in Eq. The idea is to construct 

a new set {aj,ax,ay, a z} from two existing sets 
where s — 1, 2, such that 



4i)U.W|U.«l +c (2)|„( 2 )|U.( 2 ) 



'x 



,(1)| 2 



'X 



,(2)|2' 



(A5) 



where we have again used condition (|A1() . All that is left 
to do is to verify that |c| < 1 as follows: 



\ a 


i 




2 + l4T 


P = 


I,X,Y,Z(A1) 




\iCLy — CLz 


2 






1 ■ (2) 

\ia Y 




|c| < 


\ai + a x 


2 


a? 


+ + 


(2) 

a\ - 


ha«| 2 (A3) 





are satisfied, meaning that the values of {eb,a, e p } (c.f. 
Eqs. Hll|) - (|13[l ) are preserved when the new set is used 
instead of the two existing ones. Note that condition (|A1|) 
already gives the magnitudes of the new ap's. Thus, only 
the phases of them remain to be found. Let us consider 
the terms with ai and ax (the case for ay and az are 
exactly the same). First note that we can express \ai + 
ax\ 2 — \ai\ 2 + \ax\ 2 + 2c\ai\\ax\, where |c| < 1 is a 
function of the phase difference between ai and ax and 
is what we need to determine next. Once we have found 
c, we can construct the new set by letting ax = \ax\ and 
a i = exp(i arccosc)|ctj|. 

To find c, we write condition i|A3() as 



do; ax 



cM\a<P\ 



+c (2) |4 2) ll<4 2) l 



(A4) 



I (2)11 (2)1 

K IK I 



-(1)1 2 

I ^ I "'j 

i + gi gx 



,(2)|2 



,(1)|2 



,(2)|2 



(A6) 



(A7) 



where the first inequality follows from the fact that 
Ic^-H < 1 and |c( 2 )| < 1, and we have used the dcfini- 



tions fl/ 4|o«|/|a« 



and g x 



(2) 



Now, it is 



,(i)| 







easy to show that the right hand side of Eq. (|A7() is less 

than or equal to 1. For the special case that 

i / I (i)i 
and/or \a x = 

trivially seen. 



0, the same conclusion of \c\ < 1 can be 



The construction of the new ay and az is similar to 
the above (which is for ai and ax), by using conditions 
IpHjl and JHJ|. 
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